Summary | ZeroBOX

ngfor.vbs

Category FILE
Machine s1_win7_x6403_us
Started Oct. 28, 2023, 7:01 p.m.
Completed Oct. 28, 2023, 7:03 p.m.
Size 110.5KB
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5 974b499ef10e95adc829e98ec09d6565
SHA256 7607de6efbb694feef891745a82545b2f289f133de99a9029c1a92a0cc5c8911
CRC32 E9C383BD
ssdeep 1536:F+bd7SHd7Sye4Mi3mI2hb7KZ18C2NGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbL:Ad7SHd7SyeBQZxNj53e
Yara None matched

Name Response Post-Analysis Lookup
paste.ee 104.21.84.67
IP Address Status Action
164.124.101.2 Active Moloch
172.67.187.200 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 172.67.187.200:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.103:49161 -> 172.67.187.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49161 -> 172.67.187.200:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation

Suricata TLS

Flow TLSv1 192.168.56.103:49161 -> 172.67.187.200:443
Issuer C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
Subject CN=paste.ee
Fingerprint cd:77:4c:26:1f:f8:63:15:43:5a:ba:aa:11:f1:e7:1a:23:3e:4b:15

request GET https://paste.ee/d/XN5Mg

Antivirus Result
Symantec ISB.Downloader!gen40
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.VBS.SAgent.gen
Rising Downloader.AgentTesla/VBS!8.16EB2 (TOPIS:E0:9qkf2iiUsAC)
Google Detected
ZoneAlarm HEUR:Trojan.VBS.SAgent.gen
Varist VBS/Agent.BFC!Eldorado
AVG Script:SNH-gen [Trj]

Time & API Arguments Status Return Repeated

WSASend

buffer: kge<Ü 6^!mî*<2òþÌjŒÛwæXôØN‡Á/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 976
0 0

WSASend

buffer: FBA½=bžç‡2©A³ú ª³Y«9òP×:óÍ €à®×¿ÕÔ»&ǧ•H¬û3®Úôe¢&ß®%–¯fúu`l0ä)^ÒLù‡ê˜RZ€Š1~w]9t<k{ðÓeØöHÑ®éÇÖèÀЗÚʧ¬Ñ’8
socket: 976
0 0

WSASend

buffer: À%£qz‚-ƒô‚,Tž(åFþÃiÙP¾HEb¢Õ©ßU…š$¤Ï)—HÒüKG—éj²ÉÒ%ЁdßÜú#Ÿ¨èF“¢öhؒ?€ö±f‡Ç¯­5ÛW¦w £ž@ÀiwPà>ߪ$ff#¿ð†×ùZbão0À߬ÉkéV»Ü2É=EtT< hÀå õ¼k;S—ó,gs¯ùÝ18zéâçËà\‹>I»}øso*ÇÜ´}Ÿ
socket: 976
0 0

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob